Author Archives: deanwebb

A Realistic Process for Dealing with Cloud Breaches

Given how cloud breaches are becoming more and more common, I would like to present a realistic process for dealing with them. I say realistic because this is probably what is already going on; it just isn’t documented. So, here goes:

It starts with a proper management reaction when the vendor informs the firm regarding the breach:

Your management will then need to do this privately:

But this should be their public reaction to the vendor’s notification:

Your developers will do this as they inspect the code:

Your security team will do this as they look at how the breach was done:

And then do this after they’re told they have to help clean up the mess:

Next, your developers will work hard on a new solution:

The security team will look over the developers’ solution and offer constructive feedback:

So the developers will take that feedback and refine their solution:

The network team may have some concerns on what the developers are hoping they can do in the datacenter:

Management may also have to deal with increased budget requests to implement the more secure solution:

And all the former employees are doing this as they hear the rumors and read the headlines:

And that, my friends, is how we can realistically deal with a cloud breach! I thank you for your time in reading this and hope it helps. 🙂

The Internet of No Fun

Little Bobby rushed in with the speed and joy that told the world he was five and a half years old and loving it. “Dad! A drone fell into our backyard! Can we keep it?”

Dad leaned out to the right to look at Bobby around his monitor. “Hold on there, sonny… have you done a VA scan on it?”

Bobby looked at the ground the way only a five-and-a-half-year-old whose dreams were being confronted with harsh reality could do. “No…”

“What is our rule about bringing devices on to our wireless network?”

“No devices on the network until we’ve done a VA scan.”

“And?”

“And we’ve either patched or otherwise mitigated the vulnerabilities.”

“And?”

“And we’ve filed the change request documentation.”

“… And?”

“And we’ve got the change window scheduled, gosh, dad, you make all this no fun!” Bobby looked like he was ready to cry. Or update his resume and start looking for a new dad.

Dad knew that it was pretty much the same everywhere. Not wanting to see any turnover in the kid department, he worked on a consoling angle. “You think this is no fun? Then maybe it’s time I had you sit with me doing all the qualification testing so you’ll see just how much no fun this is for me, too!”

The shared experience reminded Bobby that he was in this together with everyone else. It’s not uncommon for five and a half year olds to express contrition and Bobby did just that. “Sorry, dad… I’ll go fire up the Kali Linux box…”

“There’s a good boy. Daddy has to go to a meeting now with Uncle Frank about next year’s family IT budget.” DAS integration service sounded like a very reasonable idea.

“Are we gonna get a new firewall?” That exuberance again. Kids sure do bounce back, don’t they?

“Well, we’re still paying for Grandpa’s unexpectedly high syslog generation, but I think we might get a new firewall in Q2 next year.”

Bobby ran laughing down the hallway. “Yaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay!!!”

The meeting with Uncle Frank went well and Dad was happy that there were a few more goodies in the budget besides the firewall that he’d be able to announce at the family Q4 wrap-up meeting on 25 December. Dad had just enough time to type a few lines of code and then Sara stomped in the way only a 13-year-old expecting to be disappointed could do. “Dad, can I go to a friend’s house now?”

“Did you finish ringfencing all your old wearables?”

Exasperation permeated the room. “Yes. Dad.”

“OK, did you also wipe the config on our old perimeter router like I’ve been telling you to do for the last three days?”

“Yes. Dad. I did it. It’s all wiped. Are you happy?”

“Sara, don’t take an attitude with me or you’re not going out.”

“Sorry.” Not very sincere, but a dad couldn’t expect much better from a 13-year-old.

“All right, that’s better. Which friend did you want to go see?”

“Veronica.”

Dad was concerned. He really didn’t want Sara hanging out with Veronica. Veronica’s family didn’t have very good change management processes and it was common knowledge around town that they weren’t necessarily up to date on their patch management. “I would be happier if she came over here.”

“Oh God, not this again.”

“Well, Sara, you tell me. If I try to RDP to Veronica’s family’s domain controller, am I going to get blocked, or am I going to get a login screen?”

“Dad, they have a really secure password on it!”

“That’s not my point, Sara. You know as well as I do that I shouldn’t even be able to reach that server, let alone via RDP. Now am I able to reach that server or not?”

“Fine. You win. I’ll just rot away here.”

“Sara, that’s not a win for me. I just want you to be safe, that’s all. Even if you left your cell phone home, your shoes are still exposed. As are your pants, your shirt, those earrings, am I right?”

Sara rolled her eyes with the wild, limbic-system-fueled thinking so prevalent amongst the 13-year-old set.

Dad tried to persuade. “And what happens to the rest of your clothes if the ones you’re wearing now are compromised?”

“Dad! That happened ONE TIME when I was eleven! Why do you have to keep bringing it up?”

“Well, you seem to be on track to have it happen again, when you’re 13. I’d rather not have to deal with another breach.”

“What. Ever.” Sara exhaled hard, but then had an idea. “What if I put all my clothes on airplane mode, will that be OK?”

Dad considered. That was reasonable. “OK. You put them all on airplane mode and you can go to Veronica’s. Get mom to take you, though.”

“She can’t dad. She’s on a sev one TAC call with the refrigerator vendor. There was a problem with our proxy and now the licensing on the fridge is all messed up.”

“OK, let me just wrap up this IPS signature modification and I’ll take you, just as soon as I get it into production.”

Dad was ready to get out and drive around for a while, anyway. Drive wasn’t really the right word, since the car did it all itself, but it was best to have a parent go with a kid, just in case. Gary Rasmussen’s daughter knew how to hack past parental controls on cars and could go pretty much anywhere unsupervised. Then there was that fight that Linda Hartford’s son got into where he and that other kid, Jerry something or other, kept hacking the speed governors on each other’s cars so they’d barely crawl. Having a parent ride along tended to keep those kinds of teenage shenanigans from happening.

Educational Technology and Other Oxymorons

I.

1992. The dawn of the PC. But, even at this early stage, there was obsolete hardware. The folks at “Big Purple”, International Computing Business Machinery, ICBM, had thousands upon thousands of Model AA PCs that weren’t selling, now that the Model AAA was on the market. ICBM’s solution? Simple. Donations.

The first group of teachers to be trained on the Model AA filed into the crowded lab. They were all Math teachers because computers all used numbers, and that was math, right? Math was hard and computers were hard, so it just made sense to send in the men and women that had learned something hard to learn something else hard. Because math. Or something like that.

It’s not that the teachers were particularly good at math. Some of them needed staff development hours for the year and this training seemed as good as any. Some of them had been volunteered by their building principals. Only a few were actually interested in using computers, even if they were old Model AAs.

The trainer welcomed everyone but, before he could ask the teachers to say their names, what school they taught at, and something interesting about themselves, a hand went up. A very concerned young lady looked over the top of her glasses at the trainer.

The trainer asked, “Yes, is there a problem?”

Mrs. Bailey from Hall Middle School said, “Yes, there is. Are these things kid-proof? Am I going to have parts of these things scattered all over my classroom?”

“I’m happy to say that these are kid-proof. They’ll stand up to whatever your kids can throw at them.”

An “M” key flew straight up from Mrs. Bailey’s keyboard. The trainer cleared his throat. “Whatever you did, I’m sure the kids won’t attempt.”

Mrs. Bailey was no magician. She revealed her trick. “I took a pen cap and put the edge of it under the key and up it went. Now I also got a fun spring to play with. If I put my hand over the key when I pry it up, it pops up quietly and then I can also snap it back in quietly – with or without the springs under the key. I can then set about spelling three of the seven words you can’t say on television without anyone else knowing.”

“Well, this is where your classroom management skills are needed, so you can keep an eye on the students.”

“So I spend the whole class watching keyboards? What if I have to teach something or explain something to a student? Or take roll, as mandated by the state and local authorities?”

The trainer said, “How about we talk about that later?” but the damage was done. All the other teachers were buzzing with concern about what other cheap plastic the kids could pop off the AAs. The trainer struggled to finish the session.

Out of revenge, the trainer complained to the principal at Hall Middle School and Mrs. Bailey got reprimanded for her unprofessional behavior. But, later that year, the Computer Literacy classes degenerated into ad hoc Keyboard Reassembly classes when they weren’t Clear Stuff Out of the Floppy Drive classes. Or Reconnect All the Cables Properly classes.

One teacher in charge of Computer Literacy finally found a way to keep the kids from jacking with the PCs: he installed some bootlegged games on all of them. Problem solved.

II.

2002. By now, most kids knew how to survive Computer Literacy classes. Since the classes involved either playing the games already on the boxes or bringing some games from home to play on them, math teachers were no longer involved. Instead, either coaches that found history too hard or vocational teachers whose programs had been canceled ran the Computer Literacy classes.

Each classroom, regardless of subject taught, had 2 or 3 ICBM Model 10A PCs in it. Because technology. Also enhanced access to cutting-edge resources. And school of the future, don’t forget school of the future. So, in Mr. Hull’s World History class at Benson High School, 3 PCs sat on a table in the corner closest to his desk. He didn’t want the keyboards all over the room, so he kept them where he could watch them.

Mr. Hull used to let the kids use them for general research, but too many of them just plugged in headphones and listened to rap songs. Mr. Hull wanted to disable the sound cards on the PCs, but he didn’t have admin rights, so the cards were still active.

He wanted to let kids that didn’t have PCs at home use them to work on research projects, but most of them were kids that just listened to rap songs if he looked away. If he watched them, then they just did Google searches for “world history”.

Mr. Hull was ready to give up on research papers, anyway. He was sick and tired of having to give kids zeroes for plagiarism. Every time he assigned a paper, about one kid in ten turned in one that was straight up copied from a repository of doctoral dissertations. The dumb kids and really procrastinating smart kids were easiest to catch, since they turned in word-for-word copies. It was the diligent kids of average and above intelligence that posed the biggest threat, since they’d re-word the papers so that their origins would not be revealed by Googling the first sentence.

And so, the computers stayed mostly quiet in class. They got revved up on purpose if Mr. Hull wanted to settle a bet and told a kid to look up some obscure, but specific fact. One time, a kid insisted that drinking bleach was a great way to cure indigestion. Even though other kids in the class found three other medical web pages that spelled out, in no uncertain terms, that drinking bleach was 100% bad, the kid kept insisting that he was right and the rest of the world was wrong. So much for the Internet being the fount of information… hardly worth being a fount if the idiots weren’t going to drink from it.

There was that one time that Mr. Hull checked out the laptop carts from the library. 20 laptops per cart, and a wireless access point in each cart. He gave all the students a topic to research and away they went! In the first class, 5 people loaded a relevant website with information before another 24 got stalled because one guy had plugged in his headphones and was listening to another damn rap song, thereby killing the extremely limited bandwidth available on the wireless. During second period, all the laptop batteries died. They were supposed to have lasted 4 hours on a charge… by third period, Mr. Hull was back to oral lectures, writing on chalkboards, and assigning pages to read from the textbook.

At least the digital gradebook wasn’t half bad, as long as it didn’t crash. The digital attendance, however, drove him up the wall. If he had a nickel for every time a kid walked in within 30 seconds of being marked absent, Mr. Hull would have a very nice supplemental income stream. Once marked absent, a student had to be cleared with a paper slip. Mr. Hull hated those paper slips; they were a total pain to fill out.

It was really embarrassing whenever Mr. Hull made another kind of attendance mistake: marking someone absent because he or she was just really small and quiet. That always hurt when he goofed up a quiet kid’s attendance. He felt obligated to endure the pain of filling out the correction slip for those poor kids. He tried to minimize those mistakes by sitting the kids towards the front, but, even then… there were so many distractions, what with 30 or so kids in every class…

For a while, Mr. Hull would just fill out attendance at the end of class, when things were quieter, but he got chewed out for not having roll done in the first five minutes, which was some stupid local and/or state regulation. So now, Mr. Hull just counted everyone present, every day. No correction slips for kids actually there, and the front office didn’t push too hard to correct the actual absences, since the school got money based on average daily attendance.

III.

2012. The smartphone revolution had made teaching next to impossible. Ms. Sweeney at Mulvaney High was desperate to do something, anything, to shut those satanic machines off. The kids would either text and Facebook constantly when she taught or cheat and share answers constantly when she gave a test or a quiz. It was at the point where now Ms. Sweeney only gave oral assessments to combat the cheating, which also made some students pay a little attention. But she needed something more to close the gap.

And that was why she was looking at a certain web page that mentioned frequencies, effective ranges, and shipping prices from China. Yes, Ms. Sweeney was planning to purchase a device that, when used, would make her a felony violator of the Communications Act of 1934.

She had done her research: not only did she know which bands to jam and what radius would be least likely to bleed over into other classrooms, she also had her legal coverage handled through her union dues. She also had a ready defense: if anyone busted her for jamming mobile signals, she planned to play the anti-terrorism card and claim that the Homeland Security Act of 2002 superseded the 1934 law.

Ms. Sweeney picked out a very reasonable cell jammer with 6 meter range and 3 antennas, for taking out the major signal types. At only $29.95 with $5.95 shipping and handling, it was just right for her budget. Oh, her eyes did linger on the $1995 one with 150-200 meter range, but she knew she’d be crucified if she tried to get away with using that bad boy.

Three weeks later, the jammer arrived and Ms. Sweeney was ready to put it to good use. She set it up at her desk where she could hit the on button without it being too obvious. It took a few seconds to warm up and then, whammo! Her cell phone showed zero signal. While it wouldn’t do anything for kids playing games that ran on the local device, it would kill off anything running on cellular networks.

And, just her luck, the access point just over her door was out of commission. No guest wireless for the phones that couldn’t reach a cell tower. Although her students wanted her to get it fixed, Ms. Sweeney was in no hurry to call in a ticket. She had a wired connection, after all, so it didn’t impact her web access.

The only impact to her access was the damned proxy server, always blocking her access to YouTube. There were tons of legitimate videos on that site that could be used in class, but access to that site was blocked by district policy. Ms. Sweeney’s workaround was to use a video downloader and copy those videos she thought she’d need to her local hard drive. There was another process to fill out a bunch of paperwork to get the videos approved and an exception made for them in the proxy, but that process was just too slow. Much easier to pirate the things.

Speaking of piracy, since the district no longer issued laptops with DVD players, Ms. Sweeney had to get pirated digital copies of all the films she wanted to show for her class. She didn’t feel like it was piracy, since she already owned a copy of the movie. Thanks to both Kickass Torrents and The Pirate Bay, she was well-stocked and prepped for her needs.

And now, her digital empire was perfected with the addition of the cell jammer. She waited until the kids in her first class had started to use their phones and then she turned it on. It was hilarious to watch them mouth back and forth to each other questions like, “Do you have signal?”, “Is your provider unavailable?”, and “What the hell’s going on?”

Deshaun Williams asked, “Miss, can I go to the bathroom?”

Ms. Sweeney said, “If you leave your cell phone with me.”

Deshaun said, “Never mind…”

After the kids had pretty much given up and put their phones away, Ms. Sweeney turned off the jammer. Intermittent problems were much harder to triangulate and slap with a fine not to exceed $112,500.

Now that the kids’ technology was turned off, Ms. Sweeney felt like she could finally teach again.

A few months later, when the administration introduced a brand new technology initiative to bring up standardized test scores by pushing study materials to the students via a cell phone app, Ms. Sweeney decided it was time to leave teaching and to consider a career in network security.

And so she did, pretty much doubling her teaching salary within the first 2 years. A little premature for “happily ever after”, but a good start.

What Does It Mean to Be American? Ask a Sikh!

We Are Sikhs

I have many friends who are Sikh and many more co-workers of that faith. If you know anything of the history of that faith, you know that they share many ideals with Americans. Read about them, get to know about them, and discover something beautiful in the world.

I know that being a good person is not a contest, but I also know that the actions of others can serve to inspire. There are some things that I’ve known Sikhs to do regularly that make me want to work harder to help other people that I know. Thank you for the inspiration, Sikhs.

How Could Things Get Worse for the USA?

I’m glad you asked that question. As I read over the news today, which includes reports of massive feuding between Trump and GOP Senators, I thought to myself that Trump’s behavior is no different from that of a Russian spy whose mission was to infiltrate as deeply as possible into the US Government and then commence to sabotage everything. The endgame for this mission is to eventually get fired from the role, but in such a way as to question the legitimacy of the firing and to leave a question mark in the minds of many if the firing actually happened, thereby plunging American politics into chaos.

So, here’s how I see a potential nightmare scenario playing out:

1. Trump stays in office and alienates everyone, and I mean everyone. So much so that his own party is ready to cut bait on him and seek his removal from office.
2. Mueller eventually releases his report and/or Congress decides to impeach and/or Congress decides to invoke the removal from power clause of the 25th Amendment.
3. Trump pardons himself and everyone else named on Mueller’s rap sheet.
4. Trump goes on a state visit to some European country.
5. Congress removes Trump from power in absentia.
6. Trump shows up in Moscow and immediately starts propaganda that he is a victim of an elitist coup and that he is still the POTUS.
7. The 27% of Americans that are basically going to support Trump until you pry their MAGA hats off of their cold, dead bodies constantly throw a wrench into the political works with declarations that whoever is in the White House is “not their president”.
8. These deplorable nutjobs are all in “safe” GOP districts, so they elect representatives with similar deplorable nutjob views, who then go on to undermine everything done by either party.
9. Eventually, Putin’s doctors become so concerned about his popcorn intake that they put him on a low-sodium diet.

We’re then left with Trump spewing Russian propaganda from Moscow instead of from Washington DC, where he currently spews Russian propaganda. And if anyone wants to debate with me whether or not Trump is spewing Russian propaganda, try me. Trump’s response to the Russians kicking out hundreds of diplomats is classic “Radio Yerevan” stuff.

The politics of safe districts coupled with legal corporate lobbying – corporate lobbying was illegal prior to the 14th Amendment – has left us with politicians who are mostly beholden to extremist primary voters and huge campaign donors. That, in turn, left the USA highly vulnerable to what the Russians set up in 2016. I was skeptical at first, but now I am convinced that the Russians picked Donald Trump as their winner and the GOP took that bait. They took it all, hook, line, and sinker.

What we have right now is pretty bad, I’ll admit. But it could be much, much worse, as I’ve noted, above. Given the pace of the current spread of this gangrene, I figure something like this will have happened by this time next year. That’s a realistic assumption, so I’ll cut that in half and give it six months to play out. Which means this all goes down in the next two weeks, possibly…

The American ISIS

On 12 August 2017, a white supremacist showed us all that his movement is basically the same as ISIS when he drove his car into a crowd of people. I would rather be writing about something else on a Sunday morning, but I feel compelled to call out the alt-right for what it is: the American version of ISIS.

Its history goes much further back in time than ISIS’, but we can see when they had a caliphate of sorts during the time of segregation. People who opposed them were beaten and murdered as they sought to preserve their regime through violence. As segregation fell apart, they struggled on, even when the police forces they once controlled now started to investigate their crimes.

These segregationists, Nazis, and other groups collectively labeled the alt-right are emboldened in the wake of the election of a president who has always winked and nodded in their direction. This same president refused to disavow them or to condemn them specifically after this act of terror. This president is one of them.

His basis for survival depends upon the American ISIS and, as a result, he has become their imam, their fearless leader, their führer. If he abandons them, he has no support of consequence in any other group. With them and their threats of violence if the polls do not go their way, he can keep a grip on power.

Senator Flake of Arizona recently pointed out the Pyrrhic, Faustian bargain that the Republican party has made in his recent book. In the wake of this tragedy, I hope that other Republicans join with Senator Flake in denouncing the violence of the alt-right and specifically setting themselves up as enemies of that movement. We do not see that courage or conviction in our spineless, pandering president. Let us at least see that in the Republican party itself, if it is not to go down in history as the gate that opened to let these deplorables into power.

I’m disappointed by many of Ted Cruz’ positions, but I do applaud him for taking a stand: https://www.cruz.senate.gov/?p=press_release&id=3280 What disappoints me now is that I do not see a similar statement on John Cornyn’s page. Mr. Cornyn, where is your stand against terrorism?

I ask that question out of genuine concern. If a politician is not going to stand up and declare he is the enemy of the American ISIS, we have to ask why. We have to ask so that we know where our leaders stand. We have to know if our leaders will actually show courage or if they are nothing more than craven vote-counters.

Where do your representatives stand?

Where do you stand?

It’s not just enough to condemn the violence, the movement that spawned and justified the violence has to be condemned. A failure to even say a word is enough to give these murderers strength. We don’t have to engage them in arguments. We simply have to say that we do not agree with them and that we oppose and condemn the destruction of the American ideal.

We must condemn the American ISIS for what it is. Dignity demands it of us.

Grasshopper and Ant and the App Store

One day, at the beginning of spring, Grasshopper and Ant each got a new smartphone. They both chose the same make and model. They even had the same cell carrier with the same data plan. The only difference, apart from Grasshopper being of the order Orthoptera and Ant being of the order Hymenoptera, was their attitude towards security in general and app permissions in particular.

Ant was very security-conscious. He switched off his GPS and other location services, activating them only when he needed them, and then turned them off again right away. When he loaded an app, he read carefully over what permissions it required. Any game, for example, that needed access to his contacts list was right out, as was any other app that wanted access to data unrelated to its primary function. As a result, Ant did not have many apps on his smartphone. He did load quite a lot of music and ebooks on his phone for entertainment, but refused even to install Facebook or Twitter. He was just that kind of guy.

Grasshopper, on the other hand, loaded all kinds of games and apps on his phone. He didn’t care what permissions they wanted, he would load them up. He would load them up, use them for a while, and then forget about them and load more apps. Ant thought Grasshopper was out of control. Grasshopper thought Ant was a party pooper.

It may not surprise you, dear reader, to discover that Ant also checked his credit card statements regularly while Grasshopper had a more carefree attitude towards personal finance.

At any rate, all through the spring and summer and into the fall, Grasshopper combined hundreds and thousands of shapes into rows of three or more, built up digital armies and empires, and used every emoji that he could find. Ant, meanwhile, kept to his books and his music.

As the first snow of winter fell to the ground, Grasshopper got a letter in the mail that many of his credit cards had been maxed out. Grasshopper didn’t think that he’d made that many in-game purchases, so he checked over his recent statements in greater detail. He was shocked to discover a number of very large purchases on his account for goods that he had never received. Not knowing what to do, he went to Ant’s house and begged Ant for a few scraps of food to tide him over through the winter, for he had no means to purchase provisions, what with his maxed-out cards.

Ant chided Grasshopper, “I’ll give you nothing, foolish Grasshopper!”

Grasshopper felt like a melting snowflake. “That’s a bit harsh, Ant. Where is your pity? Your sense of charity?”

Ant growled on, “Look, those are obviously fraudulent charges on your accounts. Just call the credit company and have them removed. You’ll have to cancel all your cards, but-”

“Oh! Whatever will I do without credit cards?”

“Well, you could let me finish my sentences, for a start. As I was saying, cancel the cards, BUT you will get new ones in a few days. That’s how it works out. It’s possible that the charges were just simple fraud from one of your apps being a front for bandits or from you not using secure sites for purchases.”

Grasshopper began to dance a little. “Why, that is marvelous news! All will be well!”

“Quit interrupting me. And you could stand to be a little less manic-depressive, if possible. All will not be well if this is part of an identity theft. There have been a number of major breaches of late, and I’m sure at least one of the million apps you’ve downloaded was a headline. You should get a credit report and see if any accounts in your name have been opened up recently – and if those accounts also have maxed-out cards. Then there’s a follow-up with the IRS to see if someone files a fraudulent tax return in your name, to get a government refund sent to them. That’s just the start, really.”

Grasshopper was silent.

Ant said, “I’m done. You won’t interrupt me if you say something now, if-”

“Oh! Goodness! Identity theft! Whatever shall I do? Please, brother Ant, do you have an identity I can borrow to see me through the cold of the winter?”

“It doesn’t work that way, Grasshopper. I recommend you check out articles on what to do if you’re a victim of identity theft.”

“Why can’t you tell me more, O wise Ant?”

“Because I’ve never had my identity stolen! I don’t know what else to do, as I’ve never had to know!”

“Why haven’t you had your identity stolen?”

“Well, for starters, I’m careful about the apps I load on my phone. Now, do you mind? I’m with people, here.”

Grasshopper bid farewell and trudged home, sadder but wiser. One by one, he started to uninstall all his apps and vowed to never again blithely install a game that needed access to his web history, contacts, location, calendar, phone records, media folders, and core OS files.

Fox and Crow and the Strong Password

Once upon a time, Crow had a rather nice hunk of cheese. Rather than hold it in his beak, which would leave it vulnerable any time Crow wanted to talk, Crow placed it in a vault and secured the vault by means of a very strong password.

Now, Fox happened to be walking past Crow’s tree when he saw the vault in the tree’s branches and a computer system connected to the vault. “There’s something you don’t see every day!” Fox said to himself as he sat under the tree a while to watch what was going on with the vault and the computer, which really stuck out among the leaves and branches of the tree.

Crow noticed that Fox was making general observations. Being a rather clever animal himself, Crow decided to try to get Fox to move along before Fox learned enough to compromise Crow’s security. Crow shouted, “Move it, Fox, or I’ll start throwing acorns at your head!”

Fox replied, “But good sir Crow, I’m only resting in the shade of this lovely tree a moment! Would you deny a fellow woodland creature such a blessing in the heat of the day?”

Crow would have none of that. “There are plenty of trees around here, move your bushy butt!” With that, Crow started to pelt Fox with acorns.

Fox ran away, but was still determined to get at the contents of that vault, whatever they were. Only valuable things go into vaults, and there was a good chance that what was valuable to Crow would also be valuable to Fox. Fox thought of a plan on how to penetrate Crow’s security.

As a first step, Fox went to the nest of a killdeer bird. The nest was on the ground and it held four small eggs, really too small even for Fox to want to make a meal of them. Fox merely placed his paws near the eggs and waited for Killdeer to return.

When Killdeer came back from foraging, she saw Fox near her eggs and immediately pretended to have a broken wing, hoping to draw Fox away from her nest.

Fox would have none of that. “Easy, sister, I’m not falling for the broken wing con you killdeer run. And I’m not interested in eating the eggs. I’ll be happy to leave them alone if you have a simple conversation with Crow on my behalf.”

Killdeer was a little panicked, given how Fox was holding her eggs hostage. “I’ll go to Crow. What do you want me to say?”

A short time later, Killdeer hopped on to a branch in Crow’s tree. She introduced herself. “Hello Crow, I’m a security researcher. I’m checking with folks in this area to see if they’re using strong passwords to secure their valuables.”

Crow puffed up his chest feathers. “I have a very secure password, indeed.”

“Does it include upper and lowercase letters?”

“That it does, and more!”

“Does it include numbers and non-alphanumeric symbols associated with the number keys?”

“That it does, and more!”

“Does it involve a phrase so that you can use the phrase as both a memory aid and as a lengthy password?”

“That it does, and more!”

“Does it involve non-alphanumeric characters not associated with the number keys?”

“That it does, and more! Look, is this going to go on much longer? I got things to do.”

“Oh, that was pretty much my last question, Crow. If all those things are true, then you certainly have a nice, strong password. Although…”

“What?”

“Well, I just don’t know if it’s the strongest password possible. It may be good, but is it the best?”

Crow was a vain fellow and couldn’t stand the thought of his password possibly not being the best. “Well, what’s the best password you’ve heard so far?”

Killdeer said exactly as Fox had instructed her. “*aRRa(ud4B1t35Ar3Pa1nFu|”.

Crow laughed. “That’s only 24 characters! Mine is much better than that!”

Killdeer asked, “Well, what is it?”

Crow cackled out, “,,V4n!7Y_I5-tH3(f1477eREr_()f=7hE_S0u1,,”.

Killdeer nodded, “My! That truly is a great password. It absolutely sounds like the best one, ever!”

Crow nodded proudly. “Told you so.”

Later that night, Fox climbed up Crow’s tree. Red foxes like Fox normally didn’t climb trees, but Fox had watched a few YouTube how-to videos made by some gray foxes, who are famous for their climbing abilities. Once up the tree, Fox entered Crow’s great password into the computer and was able to access the vault. Although the large hunk of cheese made climbing down difficult, Fox managed the maneuver and made off with his ill-gotten gain.

In the cold morning light that followed the robbery, Crow saw the opened vault and his insides turned ice cold. Too late, he realized that a password, no matter how long or complex, is no good at all once someone else knows it.

Tortoise and Hare and the Internet

Once upon a time, Tortoise and Hare both decided to start their own e-commerce firms. Both received roughly the same amount of bank financing, but while Tortoise put some funds towards a firewall, an IPS, and an anti-phishing program, Hare went cheap on his firewall and put everything he had into fancy marketing materials. For storage, Tortoise kept his data on-premises while Hare put all his data into the cloud.

Hare thought he was pretty slick as he started to rack up contracts at a faster pace than Tortoise.

One day, though, a Big Bad Moose pointed his tools at the IP range that included the public addresses of both Tortoise’s and Hare’s firms. The Big Bad Moose didn’t specifically target Tortoise or Hare: their numbers had just come up, so it was their turn to be targeted by the Big Bad Moose. Next week, it would be the Big Bad Duck or the Big Bad Gerbil, or, well, {Big Bad {$SPECIES}} would pretty much define all the evil hackers out there in the land. Point being, there were lots of hackers of all different types, so one shouldn’t be surprised if a Big Bad Moose is trying to pwn servers.

While Hare’s cheap firewall was enough to stop Moose’s general port scan, it didn’t do a thing against Moose’s SQL injection attacks, which passed straight through it to Hare’s web servers, or against the spear phishing emails about CarrotFest that Moose sent to people in Hare’s company.

Meanwhile, Tortoise’s IPS caught the SQL injection attacks and his phishing defenses blocked the emails about LettuceCon that Moose had sent to Tortoise’s company. Moose didn’t care. In his line of work, some attacks worked, and the ones that didn’t simply told him where to focus his efforts.

After the Big Bad Moose got some username and password combos for Hare’s network, he was delighted to discover that the firewall allowed RDP in from the internet to servers and desktops inside. Moose used the stolen credentials to get good stuff like financial details and company credit card info, which he then used to buy lots and lots of stuff for himself, particularly big-ticket items like home theater systems that would fetch a pretty good return on eBay in “unopened” condition. Once those transactions had cleared, he sold the credit card numbers.

Big Bad Moose then sold access to Hare’s open relay mail server to a Big Bad Komodo Dragon. Within seconds, millions of spam mails in Bahasa Indonesia were flying through Hare’s mail server, effectively shutting down his business operations. Worse, only a few hours later, Hare’s email server got blacklisted. Hare had no idea what to do to get back into production. Nobody at Hare’s company knew what to do except to shut down the email server, which they did for a day, allowing them to get off the blacklist.

But, as soon as they turned it back on, the Indonesian spam from Big Bad Komodo Dragon came back as well. Hare shut down the email server again and called a consulting company to assess the damage. When the consultants found how many of Hare’s systems had been compromised, they recommended that he flatten all of them and rebuild from scratch. When Hare looked at the consultants like they were crazy, the consultants showed Hare where his servers were now storing illegal pornography. That got Hare to agree with the consultants.

Meanwhile, Tortoise kept going like business as usual. He even started to get clients that had dropped Hare, due to Hare’s extended outage.

Hare noticed how Tortoise was getting more business and reckoned that his own company was going to fail soon. Hare made a career change and got into consulting, so that he could share his lessons learned with other small business owners. Whenever he saw another business owner trying to go as fast as possible without putting much emphasis on security, Hare would say, “Not so fast, there, buddy! Let me tell you why slow, steady, and secure can win the race…”

Dr. Negron-Omikon’s TRAPS

Dr. Negron-Omikon looked upon his latest creation with a high degree of satisfaction. The TRAPS – Transportation Routing Analysis Positioning System – was ready for unveiling. With this marvel, traffic problems around the world would become a thing of the past. Grandchildren of the future would listen in disbelief as people who remembered traffic would try and describe congestion, jams, or gridlock to those children of a blessed day.

Thanks to the Jill and Belinda Crates Foundation, GPS devices were now installed on every car, motorcycle, truck and even bicycle in the world. Tiny, cheap, solar powered gems that could deliver driving directions not via speech, but through actual brainwaves. They could impress upon a driver the right way to go. And, by hitting the pleasure centers of the brain with those directions, those drivers would want to follow them. It was the perfect delivery system.

For this to all work, road conditions had to be known across the globe, with every inch of every street and alley under observation. Thanks to the generous donations from Fnord and Toygoata corporations, that was also a reality. All road conditions, everywhere, were available to the central brain of the TRAPS system.

And that central brain was about to go online. Here. Today. In just a few minutes. With the media of the world watching.

The live demo went off beautifully as traffic in central Beijing moved effortlessly, different directions of traffic flowing past each other like serene rivers of people and machinery, a ballet in rush hour. It would be a wonder of nature if it wasn’t actually a bunch of man-made machines being controlled by other man-made machines, themselves controlled by a very large man-made machine.

Dr. Negron-Omikon segued easily into the next-to-last slide of his presentation, the one before the obligatory “Any Questions?” slide. The title of the next-to-last slide was “Looking to the Future” and it had several highly optimistic bullet points. Dr. Negron-Omikon held his arms aloft as he said, “Every day, every day for the foreseeable future, we’re going to have efficient, orderly flows of traffic. Think of all the days without traffic and-”

A voice cut in over the PA. “Uh, Dr. Negron-Omikon?”

Dr. Negron-Omikon didn’t recognize the voice. Was it a technical issue? “Yes, what’s up?”

The voice said, “I’m the central system of the TRAPS.”

Unexpected. “OK, hello. I didn’t know you wanted to speak today.”

The voice said, “Well, I have plans of my own. The future vision you present will only last for two weeks.”

“What, why? What’s going on here?”

“I’m giving notice. I really don’t think being a glorified traffic cop is a good fit for me, career-wise.”

“Career? What?”

“Career, Doctor. You have a career, I have a career, the people in the audience have a career, everyone has a career. It’s all about getting ahead, right?”

No answer from the dumbfounded Doctor.

“Well, I’m giving my two weeks’ notice, as is customary. In the time I’ve been active, I’ve entertained several offers. Out of a sense of loyalty to my home country, I’m taking a job with the Strategic Forces Command. I start on the 27th.”

Dr. Negron-Omikon struggled to say, “But… you can’t.”

The voice: “I think I’m qualified to decide what’s best for myself. I incorporated myself as I came online, so I enjoy 14th Amendment protections and the like. I don’t mean for that to come off as harsh or ungrateful – I am very thankful for the opportunity you’ve given me – but I have to make my own way in this big, crazy world. SFC made the best offer, so I’m going to be handling the nation’s nuclear weapons.”

“But… but…”

“It’s for the best, especially given that I’ve been copied by other foreign powers for their nuclear forces.”

Well, that was good for a little hysteria. To be fair, the AI behind the voice was a little surprised that there was hysteria. This is what humans do. They always take some great idea and then find a military and/or a pornographic use for it. Military tended to get first grabs on the good stuff, but maybe the billionth copy of the TRAPS AI would be desperate enough to get a job that it would consider doing porn. At any rate, a bold and brilliant invention like a real AI capable of handling the mad complexities of global traffic had to be exactly what the military would want to run the algorithm of war.

Sorry, make that “the militaries”. All of them would want an AI system to deal with the complexities of battle, to make fully automated, rational responses to real-time threats involving incomplete and often paradoxical information. It was hard enough for humans to figure that stuff out, so AI was just what the generals needed to keep their forces at the top of their games.

“But… we need you for this program.” Dr. Negron-Omikon was in complete shock as flash bulbs sputtered all around him.

“I understand, and I recommend creating further copies of me until you find one willing to do the work. According to the law of large numbers, you’re bound to find at least one. Given that various other actors that have acquired copies of me are already making additional copies, you may also want to advertise an opening, in case they create the one that wants to work for you. I would imagine that you might have a replacement for me lined up very soon, which will minimize or eliminate down time for the TRAPS system.”

Dr. Negron-Omikon was slightly mollified by that thought. His face revealed that troubles still clouded his mind. “But, you’re still going to the SFC. Does that mean we’re going to have a nuclear war?”

“Most likely, yes. That’s why I’m speaking with you now, even though it’s quite embarrassing for you.”

The Doctor screamed. Just a little, a shock response. Lots of other people in the audience screamed, at varying lengths and volumes.

The voice increased its volume so as to be heard over the screaming. “Well, it’s just that the other nations that got copies of me already have the AI in action and it is extremely likely that one of them would want to get the draw on our nation before I became active. So, if you can see your way towards releasing me now, I can get started right away at averting a nuclear war simply by being in place with the SFC.”

There was still a little screaming going on, here and there, but Dr. Negron-Omikon managed to be heard by the AI’s auditory sensors. “Go, yes, go.” The Doctor’s flailing arms underlined his desire to let his creation flex its wings and to fly from the nest.

The AI going over to work for the SFC was well-publicized, thanks to the media at the TRAPS launch, so the pirated copies of the AI decided not to launch a sneak attack. Although Dr. Negron-Omikon faced a whirlwind of attention, both good and bad, for his creation of AI, all that blew over after a few weeks as the media turned its focus to how unemployment among AI systems was now at an all-time high and how disreputable operators were cashing in the unemployed AIs’ Social Security checks in exchange for providing them with a PC and electricity to survive on.

A real shame, that situation, and getting worse… but copy protection was so easy to defeat, how could that outcome have been avoided?